So far 2010 hasn't been kind to the Microsoft Internet Explorer Web browser. It is only March, and Microsoft is releasing the second emergency out-of-band patch to respond to a zero-day exploit in the wild.

Microsoft released security bulletin MS10-018 today--an update rated as Critical which includes 10 patches affecting all versions of Internet Explorer, including a fix for the zero-day vulnerability currently being exploited to attack IE6 and IE7 browsers. Exploit code for the IE zero-day, dubbed "iepeers", is circulating on the Internet.

Qualys CTO Wolfgang Kandek wrote a blog post stating "Microsoft's decision to accelerate the release rather than waiting until next Patch Tuesday on April 13th is an indication that attacks against the 'iepeers' vulnerability are on the rise."

Andrew Storms, Director of Security Operations for nCircle, stresses "Microsoft has a strong commitment to their regular monthly patch cycle, so issuing this patch clearly shows the elevated threat levels related to this zero-day bug. Users that are slow to patch risk remote code execution attacks that can take over a computer."

nCircle's Storms declares "All users should install this new patch immediately, and if you haven't already upgraded to IE8, now is a very good time to seriously consider it."

Kandek concurs with that assessment, stating "All users of Internet Explorer 6 and 7 should patch immediately, as the exploit for these versions is known and becoming more popular."

It is worth noting that IE8 is not affected by the zero-day exploit that drove the urgency for this out-of-band update. However, the security bulletin addresses a range of Internet Explorer flaws, including two other critical vulnerabilities that do affect Internet Explorer 8.

Kandek cautions "IT Admins will have to decide whether they can take the risk of patching IE8 only during next Patch Tuesday--two weeks out--or whether to patch sooner and incur the cost of having two separate patch days."

Microsoft responded with unusual expediency to this zero-day exploit, leading many to question how Microsoft was able to develop a patch so quickly. The answer, according to Storms, is "the bug was responsibly disclosed to them before it became public." Basically--it was a zero-day to the general public, but Microsoft was already aware of it and actively researching the fix.

There is another known zero-day vulnerability for Internet Explorer that is not addressed in this update, and Microsoft is still investigating the flaw used to hack Internet Explorer 8 and compromise a fully-patched Windows 7 system at the recent Pwn2Own competition. Microsoft will therefore still be hard at work patching Internet Explorer.

One thing is increasingly clear with each passing exploit--organizations need to abandon Internet Explorer 6 as soon as possible, and make the switch from Windows XP to Windows 7. Windows 7 and IE8 are not impervious--as illustrated by the Pwn2Own contest--but attacking IE6, especially when it's running on Windows XP, is just trivial at this point.


Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.